Missing validation for data from D-Bus #302
Comments
|
From the perspective of the D-Bus protocol and the ruby-dbus bindings library, this is out of scope: a That said, there's an example from NM and a related bug in ruby-dbus: Just for reference, we've recently seen how NetworkManager handles this kind of errors, in mvidner/ruby-dbus#124:
Even when ruby-dbus has the type information, for properties, it still fails to check the types. That's part of mvidner/ruby-dbus#118. Example: $ sudo busctl --system \
call \
org.opensuse.DInstaller.Questions \
/org/opensuse/DInstaller/Questions1 \
org.opensuse.DInstaller.Questions1 \
New sasas "should I stay or should I go" 2 yes no 1 yes
$ sudo busctl --system \
set-property \
org.opensuse.DInstaller.Questions \
/org/opensuse/DInstaller/Questions1/1 \
org.opensuse.DInstaller.Question1 \
Answer i 13
Failed to set property Answer on interface org.opensuse.DInstaller.Question1: undefined method `to_sym' for 13:Integer
backend.answer = option.to_symThe exception comes from a random place in the method body, not from a typechecking guard. So when I add the missing type checks, I'll keep in mind an option to let the methods be usable by applications for "custom properties". |
|
Now that we have switched from D-Bus to HTTP as main communication protocol, I closing this. I know D-Bus is still used internally at some parts, but this is likely not worth any investment. Feel free to reopen if you disagree. |
The D-Bus API provided by D-Installer uses variant type for some values. For example, when calling to calculate a new storage proposal:
There is no validation from backend size about the types sent, so it could fail if it receives an unexpected value:
The backend should verify the data received from D-Bus.
The text was updated successfully, but these errors were encountered: